A recent vulnerability in the Ethereum network could have reportedly allowed hackers to gain massive profits from cryptocurrency exchanges which haven’t set up a Gas usage limit.
A Critical Vulnerability
A group of researchers discovered a vulnerability in Ethereum which allowed attackers to drain exchanges by burning their ETH on high transaction costs or to benefit directly by minting GasToken.
The report details that exchanges which allow parties to withdraw ETH to arbitrary addresses without setting gas usage limit could have been exposed to increased transaction fees. According to the paper, there are two different options of exploiting this vulnerability.
The first option would allow the hacker to drain the unprotected exchange by making it pay for large amounts of transaction fees. The second option would allow the attacker to mint GasToken for substantial profits by simply imposing a small amount of GasToken as a tax for “naïve users.”
Issues Purportedly Patched
Reportedly, the vulnerability only affected exchanges which initiate Ethereum transactions and not such which process them. Furthermore, the report confirms that decentralized exchanges, as well as other venues operating on smart contract transactions initiated by users, remained unaffected. The report also outlined that EVM-based blockchains and Ethereum Classic may also be affected.
According to the official Medium publication, the researchers have already connected to a bulk of the affected exchanges which have supposedly patched the vulnerability.
Additionally, the researchers have given recommendations for exchanges to implement gas limits on all transactions.
Implement reasonable gas limits on all transactions. If any expensive transactions are made, ensure that the user bears the cost. Fees for a given withdrawal should always cover the gas needed. – reads the report.
What do you think of the recently discovered vulnerability and the lack of protection in certain exchanges? Don’t hesitate to let us know in the comments below!
Images courtesy Bitcoinist archives, Shutterstock.
